Use Microsoft Entra ID Conditional Access policies in Cloudflare Access
With Conditional Access ↗ in Microsoft Entra ID (formerly Azure Active Directory), administrators can enforce policies on applications and users directly in Entra ID. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.
Before you begin
Make sure you have:
- Global admin rights to Microsoft Entra ID account
- Configured users in the Microsoft Entra ID account
Set up an identity provider for your application
Refer to our IdP setup instructions for Entra ID.
Add API permission in Entra ID
Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Entra ID.
-
In Microsoft Entra ID, go to App registrations.
-
Select the application you created for the IdP integration.
-
Go to API permissions and select Add a permission.
-
Select Microsoft Graph.
-
Select Application permissions and add
Policy.Read.ConditionalAccess
. -
Select Grant admin consent.
Configure Conditional Access in Entra ID
- In Microsoft Entra ID, go to Enterprise applications > Conditional Access.
- Go to Authentication Contexts.
- Create an authentication context ↗ to reference in your Cloudflare Access policies. Give the authentication context a descriptive name (for example,
Require compliant devices
). - Next, go to Policies.
- Create a new Conditional Access policy ↗ or select an existing policy.
- Assign the conditional access policy to an authentication context:
- In the policy builder, select Target resources.
- In the Select what this policy applies to dropdown, select Authentication context.
- Select the authentication context that will use this policy.
- Save the policy.
Sync Conditional Access with Zero Trust
To import your Conditional Access policies into Cloudflare Access:
- In Zero Trust ↗, go to Settings > Authentication.
- Find your Microsoft Entra ID integration and select Edit.
- Enable Azure AD Policy Sync.
- Select Save.
Create an Access application
To enforce your Conditional Access policies on a Cloudflare Access application:
-
In Zero Trust ↗, go to Access > Applications.
-
Create a new self-hosted application.
-
In Application domain, enter the target URL of the protected application.
-
For Identity providers, select your Microsoft Entra ID integration.
-
Finally, create an Access policy using the Azure AD - Auth context selector. For example:
Action Rule type Selector Value Allow Include Emails ending in @example.com
Require Azure AD - Auth context Require compliant devices
Users will only be allowed access if they pass the Microsoft Entra ID Conditional Access policies associated with this authentication context.